Information on Dell Cloud Manager tools and general perspectives on cloud computing.

10/20/2014

The Top 4 Cloud Security Issues – Part Two: Access Control and Authorization

This four-part blog series covers the top four challenges inherent in moving to the cloud (especially public cloud) and how to solve them.

So now you’re using your Infrastructure as a Service (IaaS) cloud, and are starting to run into some issues around who has access to your data, and what actions they can take. The first topic we covered was identity and authentication. Now, it’s time to talk about access control and authorization.

The issue around access control and authorization is closely related to the authentication issue covered in the last post: what can a user do once they have access to the cloud? Cloud providers tend to have little to no access control available, and even the best in this regard, Amazon Web Services, has inconsistent rules across its product suite. Additionally, there’s no consistency in how rules get applied, so the more clouds you use, the harder it gets to create equivalent rule sets. And then there are the more complex situations, like what happens if somebody leaves the company – or switches roles internally?

Fortunately, if you’ve handled issue #1 (identity and authentication), you have already taken a big step towards solving issue #2 as well. Once you are sitting between the user and the cloud – via a tool like cloud management software – layering on access control is easy, relatively speaking, and because the check happens before the user ever gets to the cloud, you can be as granular as you want. Furthermore, you aren’t limited to role-based ACLs (access control lists): you can apply attribute-based rules as well, such as restricting access at certain times. This allows more flexibility while increasing security and control overall.
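To make the idea concrete, here is an added example (not code from Dell Cloud Manager or from the original post) of a decision function that such an intermediary could run before forwarding a request to any cloud. It combines role-based rules with a time-of-day attribute and denies by default. The rule format, action names, resource paths and user records are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    role: str
    action: str                 # provider-neutral action; trailing "*" is a wildcard
    resource_prefix: str        # provider-neutral resource path
    window: Optional[Tuple[time, time]] = None  # allowed hours; None = any time

# Constructed sample policy and directory (all names hypothetical).
RULES = [
    Rule("operator", "vm:start", "dev/"),
    Rule("operator", "vm:stop", "dev/"),
    Rule("operator", "vm:start", "prod/", (time(8, 0), time(18, 0))),
    Rule("admin", "vm:*", ""),
]
USERS = {
    "alice": {"active": True, "roles": {"admin"}},
    "bob": {"active": True, "roles": {"operator"}},
    "carol": {"active": False, "roles": {"admin"}},  # has left the company
}

def _action_matches(pattern: str, action: str) -> bool:
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def _in_window(window, now: datetime) -> bool:
    if window is None:
        return True
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end    # window that wraps past midnight

def authorize(user, action, resource, now, users=USERS, rules=RULES):
    """Decide before the request is forwarded to any cloud. Deny by default."""
    account = users.get(user)
    if account is None or not account["active"]:
        return False, "unknown or deactivated account"
    for rule in rules:
        if (rule.role in account["roles"]
                and _action_matches(rule.action, action)
                and resource.startswith(rule.resource_prefix)
                and _in_window(rule.window, now)):
            return True, f"allowed by role {rule.role}"
    return False, "no rule grants this request"
```

Because the user record is looked up on every decision, deactivating an account or changing its roles in one place takes effect for every cloud behind the intermediary.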